Python Python

  1. Vendors
  2. Python

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any Python product.

RSS Feeds for Python security vulnerabilities

Create a CVE RSS feed including security vulnerabilities found in Python products with stack.watch. Just hit watch, then grab your custom RSS feed url.

Products by Python Sorted by Most Security Vulnerabilities since 2018

Python119 vulnerabilities

Python Pillow40 vulnerabilities

Python Urllib311 vulnerabilities

Cpython8 vulnerabilities

Python Pip8 vulnerabilities

Python Requests5 vulnerabilities

Python Setuptools3 vulnerabilities

Python Typed Ast2 vulnerabilities

Python Novajoin1 vulnerability

Python Pybluemonday1 vulnerability

Python Pycryptodome1 vulnerability

Python Pypi1 vulnerability

Python Pypiserver1 vulnerability

Python Jw Util1 vulnerability

Python Gnupg1 vulnerability

Python Pyxdg1 vulnerability

Python Tablib1 vulnerability

Python Tkvideoplayer1 vulnerability

Python Aiohttp1 vulnerability

By the Year

In 2026 there have been 1 vulnerability in Python with an average score of 4.5 out of ten. Last year, in 2025 Python had 16 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in Python in 2026 could surpass last years number. Last year, the average CVE base score was greater by 2.23




Year Vulnerabilities Average Score
2026 1 4.50
2025 16 6.73
2024 16 6.58
2023 18 6.38
2022 22 7.57
2021 28 7.45
2020 24 7.67
2019 24 7.42
2018 11 7.68

It may take a day or so for new Python vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Python Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2026-22702 Jan 10, 2026
virtualenv is a tool for creating isolated virtual python environments virtualenv is a tool for creating isolated virtual python environments. Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv's app_data and lock file operations to attacker-controlled locations. This issue has been patched in version 20.36.1.
CVE-2025-12084 Dec 03, 2025
Python XML DOM minidom quadratic appendChild CVE-2025-12084 When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.
Python
CVE-2025-13837 Dec 01, 2025
Python plistlib OOM DoS via malicious plist When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues
Python
CVE-2025-8291 Oct 07, 2025
Python zipfile ZIP64 EOCD Locator offset validation flaw The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value would not be used to locate the ZIP64 EOCD record, instead the ZIP64 EOCD record would be assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the 'zipfile' module compared to other ZIP implementations. Remediation maintains this behavior, but checks that the offset specified in the ZIP64 EOCD Locator record matches the expected value.
Python
CVE-2025-8869 Sep 24, 2025
pip TAR Extraction Vulnerability: Symbolic Links without PEP706 When extracting a tar archive pip may not check symbolic links point into the extraction directory if the tarfile module doesn't implement PEP 706. Note that upgrading pip to a "fixed" version for this vulnerability doesn't fix all known vulnerabilities that are remediated by using a Python version that implements PEP 706. Note that this is a vulnerability in pip's fallback implementation of tar extraction for Python versions that don't implement PEP 706 and therefore are not secure to all vulnerabilities in the Python 'tarfile' module. If you're using a Python version that implements PEP 706 then pip doesn't use the "vulnerable" fallback code. Mitigations include upgrading to a version of pip that includes the fix, upgrading to a Python version that implements PEP 706 (Python >=3.9.17, >=3.10.12, >=3.11.4, or >=3.12), applying the linked patch, or inspecting source distributions (sdists) before installation as is already a best-practice.
Pip
CVE-2025-8194 Jul 28, 2025
cPython TarFile Infinite Loop via Negative Offset There is a defect in the CPython tarfile module affecting the TarFile extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives. This vulnerability can be mitigated by including the following patch after importing the tarfile module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1
Python
CVE-2025-50182 Jun 19, 2025
urllib3 v2.2.0-2.5.0 redirect control flaw in Pyodide browser runtimes urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means Python libraries can be used to make HTTP requests from a browser or Node.js. Additionally, urllib3 provides a mechanism to control redirects, but the retries and redirect parameters are ignored with Pyodide; the runtime itself determines redirect behavior. This issue has been patched in version 2.5.0.
Urllib3
CVE-2025-6069 Jun 17, 2025
Python HTMLParser Quadratic Complexity DoS Vulnerability The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service.
Python
CVE-2024-47081 Jun 09, 2025
Requests before 2.32.4 leaks .netrc credentials via URL parsing Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc file can be disabled with `trust_env=False` on one's Requests Session.
Requests
CVE-2024-12718 Jun 03, 2025
Python 3.12+ Tarfile Filter CVE-2024-12718: External Metadata Modification Allows modifying some file metadata (e.g. last modified) with filter="data" or file permissions (chmod) with filter="tar" of files outside the extraction directory. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information. Only Python versions 3.12 or later are affected by these vulnerabilities, earlier versions don't include the extraction filter feature. Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to `"data", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.
Python
CVE-2025-4517 Jun 03, 2025
Python tarfile Arbitrary FS Write via filter='data' (pre-3.14) CVE-2025-4517 Allows arbitrary filesystem writes outside the extraction directory during extraction with filter="data". You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information. Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to `"data", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.
Python
CVE-2025-4330 Jun 03, 2025
Python 3.14+ tarfile Filter Bypass for Symlink Extraction Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information. Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to `"data", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.
Python
CVE-2025-4138 Jun 03, 2025
Python 3.14+ tarfile extraction filter bypass (symlink outside dir) Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information. Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to `"data", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.
Python
CVE-2025-47273 May 17, 2025
setuptools <78.1.1 Path Traversal via PackageIndex allows file write setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue.
Setuptools
CVE-2024-3220 Feb 14, 2025
Python CPython Mimetypes MemoryError on Startup via Writable File Locs Windows There is a defect in the CPython standard library module mimetypes where on Windows the default list of known file locations are writable meaning other users can create invalid files to cause MemoryError to be raised on Python runtime startup or have file extensions be interpreted as the incorrect file type. This defect is caused by the default locations of Linux and macOS platforms (such as /etc/mime.types) also being used on Windows, where they are user-writable locations (C:\etc\mime.types). To work-around this issue a user can call mimetypes.init() with an empty list ([]) on Windows platforms to avoid using the default list of known file locations.
Python
CVE-2024-57956 Feb 06, 2025
Out-of-Bounds Read in Python's String Interpreter Module Out-of-bounds read vulnerability in the interpreter string module Impact: Successful exploitation of this vulnerability may affect availability.
Python
CVE-2025-0938 Jan 31, 2025
Python urllib.parse: Invalid Square Bracket URL Parsing Issue The Python standard library functions `urllib.parse.urlsplit` and `urlparse` accepted domain names that included square brackets which isn't valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in differential parsing across the Python URL parser and other specification-compliant URL parsers.
Python
CVE-2024-12254 Dec 06, 2024
Python 3.12+ Asyncio._SelectorSocketTransport Memory Exhaustion via writelines() Starting in Python 3.12.0, the asyncio._SelectorSocketTransport.writelines() method would not "pause" writing and signal to the Protocol to drain the buffer to the wire once the write buffer reached the "high-water mark". Because of this, Protocols would not periodically drain the write buffer potentially leading to memory exhaustion. This vulnerability likely impacts a small number of users, you must be using Python 3.12.0 or later, on macOS or Linux, using the asyncio module with protocols, and using .writelines() method which had new zero-copy-on-write behavior in Python 3.12.0 and later. If not all of these factors are true then your usage of Python is unaffected.
Python
CVE-2024-52304 Nov 18, 2024
aiohttp <3.10.11 Request Smuggling via Incorrect Chunk Extension Parsing aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or `AIOHTTP_NO_EXTENSIONS` is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.10.11 fixes the issue.
Aiohttp
CVE-2024-11168 Nov 12, 2024
Python urllib.parse SSRF Vulnerability via Improper Host Validation The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.
Python
CVE-2024-9287 Oct 22, 2024
CVE-2024-9287: CPython venv CLI Command Injection via Unquoted Paths A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected.
Python
Cpython
CVE-2024-6232 Sep 03, 2024
CPython ReDoS via Regex in tarfile Header Parsing There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.
Python
Cpython
CVE-2024-7592 Aug 19, 2024
CPython http.cookies Quadratic Complexity CPU Exhaustion (CVE20247592) There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.
Python
Cpython
CVE-2024-6923 Aug 01, 2024
CPython Email Module Header Injection via Improper Newline Quoting There is a MEDIUM severity vulnerability affecting CPython. The email module didnt properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.
Cpython
CVE-2024-3219 Jul 29, 2024
CPython SocketModule AF_INET socketpair race (Win), 3.5+ The socket module provides a pure-Python fallback to the socket.socketpair() function for platforms that dont support AF_UNIX, such as Windows. This pure-Python implementation uses AF_INET or AF_INET6 to create a local connected pair of sockets. The connection between the two sockets was not verified before passing the two sockets back to the user, which leaves the server socket vulnerable to a connection race from a malicious local peer. Platforms that support AF_UNIX such as Linux and macOS are not affected by this vulnerability. Versions prior to CPython 3.5 are not affected due to the vulnerable API not being included.
Python
CVE-2024-6345 Jul 15, 2024
setuptools <=69.1.1 RCE via download URL injection A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.
Setuptools
CVE-2024-5642 Jun 27, 2024
CPython 3.9+ SSLContext.set_npn_protocols Empty List Buffer Over-Read CPython 3.9 and earlier doesn't disallow configuring an empty list ("[]") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured).
Python
CVE-2024-4032 Jun 17, 2024
Python ipaddress CVE-2024-4032 incorrect is_private/is_global until v3.12.4 The ipaddress module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as globally reachable or private. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldnt be returned in accordance with the latest information from the IANA Special-Purpose Address Registries. CPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.
Python
Cpython
CVE-2024-35195 May 20, 2024
Requests <2.32: Session cert verify bypass persists Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.0.
Requests
CVE-2024-4030 May 07, 2024
Python tempfile.mkdtemp() Improper Permission Handling on Windows On Windows a directory returned by tempfile.mkdtemp() would not always have permissions set to restrict reading and writing to the temporary directory by other users, instead usually inheriting the correct permissions from the default location. Alternate configurations or users without a profile directory may not have the intended permissions. If youre not using Windows or havent changed the temporary directory location then you arent affected by this vulnerability. On other platforms the returned directory is consistently readable and writable only by the current user. This issue was caused by Python not supporting Unix permissions on Windows. The fix adds support for Unix 700 for the mkdir function on Windows which is used by mkdtemp() to ensure the newly created directory has the proper permissions.
Python
CVE-2024-28219 Apr 03, 2024
Pillow 10.2.0 Buffer Overflow in _imagingcms.c via strcpy In _imagingcms.c in Pillow before 10.3.0, a buffer overflow exists because strcpy is used instead of strncpy.
Pillow
CVE-2024-0450 Mar 19, 2024
CVE-2024-0450: CPython <3.12.2 Vulnerable to ZipBombs via zipfile Module An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to quoted-overlap zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.
Cpython
CVE-2023-50447 Jan 19, 2024
Pillow <=10.1.0 PIL.ImageMath.eval Arbitrary Code Exec via env Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter).
Pillow
CVE-2023-6507 Dec 08, 2023
CPython 3.12.0 subprocess setgroups regression causes PID root privilege issue An issue was found in CPython 3.12.0 `subprocess` module on POSIX platforms. The issue was fixed in CPython 3.12.1 and does not affect other stable releases. When using the `extra_groups=` parameter with an empty list as a value (ie `extra_groups=[]`) the logic regressed to not call `setgroups(0, NULL)` before calling `exec()`, thus not dropping the original processes' groups before starting the new process. There is no issue when the parameter isn't used or when any value is used besides an empty list. This issue only impacts CPython processes run with sufficient privilege to make the `setgroups` system call (typically `root`).
Python
Cpython
CVE-2023-44271 Nov 03, 2023
Pillow <10.0.0 - DOS via memory overallocation in ImageFont Truetype An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument.
Pillow
CVE-2023-5752 Oct 25, 2023
Pip <23.3 Config Injection via Mercurial VCS URLs When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.
Pip
CVE-2023-45803 Oct 17, 2023
HTTP Redirect Body Leakage in urllib3 <1.26.18 / <2.0.7 urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expecting to respond with redirects with `redirects=False` and disable automatic redirects with `redirects=False` and handle 301, 302, and 303 redirects manually by stripping the HTTP request body.
Urllib3
CVE-2018-25091 Oct 15, 2023
urllib3 <1.24.2 Does Not Drop Auth Header on Cross-Origin Redirect urllib3 before 1.24.2 does not remove the authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the authorization header to be exposed to unintended hosts or transmitted in cleartext. NOTE: this issue exists because of an incomplete fix for CVE-2018-20060 (which was case-sensitive).
Urllib3
CVE-2023-43804 Oct 04, 2023
urllib3 Redirect Cookie Header Leak Before 1.26.17/2.0.5 urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.
Urllib3
CVE-2023-40217 Aug 25, 2023
Python TLS Client Cert Auth Bypass pre 3.8.18/3.9.18/3.10.13/3.11.5 An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)
Python
CVE-2023-41105 Aug 23, 2023
Python 3.11.x Null-Byte Truncation in os.path.normpath An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\0' bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first '\0' byte. There are plausible cases in which an application would have rejected a filename for security reasons in Python 3.10.x or earlier, but that filename is no longer rejected in Python 3.11.x.
Python
CVE-2022-48564 Aug 22, 2023
Python plistlib DoS before 3.9.1 via malformed binary PLIST read_ints in plistlib.py in Python through 3.9.1 is vulnerable to a potential DoS attack via CPU and RAM exhaustion when processing malformed Apple Property List files in binary format.
Python
CVE-2022-48565 Aug 22, 2023
XXE in Python plistlib <3.9.1 An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities.
Python
CVE-2022-48566 Aug 22, 2023
Python 3.9.1 HMAC.compare_digest Constant-Time Defeat via Accumulator An issue was discovered in compare_digest in Lib/hmac.py in Python through 3.9.1. Constant-time-defeating optimisations were possible in the accumulator variable in hmac.compare_digest.
Python
CVE-2022-48560 Aug 22, 2023
Python 3.9 Use-After-Free via heapq.heappushpop A use-after-free exists in Python through 3.9 via heappushpop in heapq.
Python
CVE-2023-38898 Aug 15, 2023
Python 3.7 _asyncio._swap_current_task data leak An issue in Python cpython v.3.7 allows an attacker to obtain sensitive information via the _asyncio._swap_current_task component. NOTE: this is disputed by the vendor because (1) neither 3.7 nor any other release is affected (it is a bug in some 3.12 pre-releases); (2) there are no common scenarios in which an adversary can call _asyncio._swap_current_task but does not already have the ability to call arbitrary functions; and (3) there are no common scenarios in which sensitive information, which is not already accessible to an adversary, becomes accessible through this bug.
Python
CVE-2023-36632 Jun 25, 2023
Python email.utils.parseaddr RecursionError via crafted argument (pre-3.11.5) The legacy email.utils.parseaddr function in Python through 3.11.4 allows attackers to trigger "RecursionError: maximum recursion depth exceeded while calling a Python object" via a crafted argument. This argument is plausibly an untrusted value from an application's input data that was supposed to contain a name and an e-mail address. NOTE: email.utils.parseaddr is categorized as a Legacy API in the documentation of the Python email package. Applications should instead use the email.parser.BytesParser or email.parser.Parser class. NOTE: the vendor's perspective is that this is neither a vulnerability nor a bug. The email package is intended to have size limits and to throw an exception when limits are exceeded; they were exceeded by the example demonstration code.
Python
CVE-2023-33595 Jun 07, 2023
Python CPython v3.12.0a7 UAF via ascii_decode CPython v3.12.0 alpha 7 was discovered to contain a heap use-after-free via the function ascii_decode at /Objects/unicodeobject.c.
Cpython
Python
CVE-2023-32681 May 26, 2023
Requests 2.3.02.30.0 Leak ProxyAuth Headers Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.
Requests
CVE-2023-27043 Apr 19, 2023
Python 3.11.3 Email Parsing Bug Allows Domain Bypass The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.
Python
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.